This Privacy Policy describes what data Lewsnetter ("we," "us") collects when you use our email-marketing service ("Lewsnetter"), why we collect it, how it's stored, and what rights you have over it. It applies to both account holders ("you," "customers") and your end recipients ("subscribers").
1. Roles under data-protection law
When you upload your subscriber list to Lewsnetter, you are the data controller and Lewsnetter is the data processor under GDPR, CCPA, and equivalent regimes. You decide who is in your audience and why; we process that data only to deliver the email service you've configured. Our processing obligations are governed by our Data Processing Agreement.
2. What we collect
2.1 Account data (you, the customer)
- Email address, name, and password (hashed)
- Team name + your role within it
- Your Amazon SES credentials, encrypted at rest with Rails ActiveRecord Encryption
- OAuth application credentials you create for API/MCP access
- Standard request logs (IP address, user agent, timestamp) for ~30 days
2.2 Subscriber data (your audience)
- Email address — encrypted at rest (AES-GCM via Rails ActiveRecord Encryption, deterministic mode so we can still de-duplicate)
- Name — encrypted at rest (non-deterministic)
- External ID — your source-app's identifier for the subscriber (plaintext, used for idempotent upserts)
- Custom attributes — whatever metadata you push (plan tier, tenant type, tags, etc.). Stored as JSON in your team's row, not encrypted at the column level so we can run segmentation queries on them. Filesystem-encrypted via Hetzner volume + Cloudflare R2 server-side encryption.
- Subscription status, opt-in/opt-out timestamps, bounce/complaint timestamps
- "Last contacted" and "times contacted" counters bumped on each campaign send
2.3 Campaign content
Subject lines, MJML/HTML/Markdown body, attachments. Stored alongside your team's data and rendered per-recipient at send time. We do not retain a copy of the rendered message after handoff to your SES account.
3. Where data lives
- Primary database: SQLite on a Hetzner Cloud server (CPX21 in Ashburn, VA, USA). Disk encryption at the Hetzner volume level.
- Backups: Litestream streams SQLite WAL segments to Cloudflare R2, encrypted in transit (TLS) and at rest (R2 server-side encryption).
- Outbound mail: When you configure SES credentials, the actual send happens from your own Amazon SES account in the AWS region you specify. Lewsnetter does not retain a copy of the rendered email after dispatch. AWS is your sub-processor for delivery, not ours.
4. Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Application hosting + primary database | USA (Ashburn, VA) |
| Cloudflare, Inc. | DNS, TLS termination, R2 backup storage | Global edge |
| GitHub, Inc. | Container registry (GHCR) for deploy images | USA |
When you configure your own AWS SES credentials, Amazon Web Services becomes your sub-processor (not ours) for the outbound email leg.
5. How long we keep data
- Subscribers: retained indefinitely while you keep them in your audience. Deleted permanently when you call DELETE /api/v1/teams/:slug/subscribers/by_external_id/:id, when you delete the team, or when you cancel your account.
- Campaign records + send statistics: retained for the lifetime of your account.
- Request logs: 30 days, then purged.
- Backup snapshots: 7 days of WAL history on R2.
6. Your rights (and your subscribers' rights)
You can:
- Access any subscriber's data via the API or the Account UI.
- Update any subscriber's record at any time.
- Delete any subscriber permanently via the API (GDPR right to erasure). Deletion is immediate; the row is destroyed within ~5 seconds of the API call returning 200.
- Export your full subscriber list via GET /api/v1/teams/:slug/subscribers.
Your subscribers can unsubscribe via the one-click unsubscribe link in the footer of every campaign (RFC 8058 compliant). Unsubscribed subscribers are not deleted; their subscription state flips to false and they're excluded from future sends.
7. Security
- TLS 1.2+ on every connection (Cloudflare Full Strict mode)
- Subscriber email + name encrypted at rest with AES-GCM
- Customer's SES credentials encrypted at rest with the same scheme
- Database backups encrypted in transit + at rest
- Production access limited to maintainers
- Dependencies monitored via GitHub Dependabot
8. Children
Lewsnetter is not directed at children under 16, and we do not knowingly collect data from them. If you believe a subscriber's data falls under children's-privacy rules in your jurisdiction, you must obtain appropriate consent before pushing it to us.
9. Changes
We will update this policy if our practices change. Material changes will be announced via email to account holders, and the date at the top of this page will reflect the update.
10. Contact
Privacy questions, deletion requests, sub-processor concerns: [email protected].
Abuse / spam reports: [email protected].